Modern building control systems comprise a large number of devices, for example sensors, lights, valves, HVAC equipment and security equipment. In the context of the present invention these devices are referred to as host devices. The most advanced buildings are approaching one host device installed per square meter. The commissioning of building control systems is increasingly labor intensive and prone to errors. For example, it has been shown that the technical installations in 70% of the utility buildings in the Netherlands do not function according to specification, causing an increase in energy consumption of 25%.
Commissioning of building control systems involves the configuration of the host devices. The configuration of host devices comprises amongst others the exchange of configuration data between a configuration device and the host device in order to configure said host device. For example, the configuration device may be an installation device which transmits configuration data to a host device via an RFID connection. These configuration data may comprise network parameters which enable the host device to join a network, for example a Wi-Fi network, via a further communication link. Furthermore, the configuration data may comprise configuration parameters necessary for pairing devices or establishing a control relationship between devices, for example. Operations such as joining a network, pairing devices and establishing a control relationship between devices are referred to as configuration operations.
It is noted that, in the context of the present invention, a complete system comprising for example sensors, actuators, and controllers used to control HVAC, lighting, security, and safety in a building is called a building control system (BCS). A component (e.g. a computer) or a subsystem of the BCS that is used to commission the BCS initially and possibly to (partially) re-commission it later is referred to as a building commissioning system.
Typically, the exchange of said configuration data is facilitated by a radio frequency identification (RFID) tag coupled to the host device. This RFID tag may be a connected tag which has a wired data connection with a microcontroller (host controller) of the host device or an unconnected tag which does not have such a wired data connection. In case of a connected tag, network parameters are typically written to the tag by an installation device via an RFID connection. Subsequently, the network parameters are read by the host controller via the wired data connection. The network parameters can then be used by the host controller to join the network via a further communication link, for example via a Wi-Fi connection. In case of an unconnected tag, network parameters are typically read from the tag by an installation device via an RFID connection. Subsequently, the installation device incorporates the host device securely into the network via a further communication link, for example via a Wi-Fi connection.
In both cases, however, malicious parties may gain access to the network parameters, which is detrimental to the overall security of the network. Several attack scenarios are possible. For example, an unauthorized person who is visiting a public building, could read out the network key of (part of) the building control system from a host device (e.g. a sensor) and thereby gain access to the network and potentially also to confidential information sent around in this network. Similarly, a malicious visitor could disjoin devices from the legitimate building network and join them into his own network instead, thereby taking control over part—or whole—of the building control network, and imperceptibly adapt the behavior of the existing network and/or extract information about the building and/or its inhabitants.